# Stop Vendor Payment Fraud From Bank-Detail Changes | RankShield Financial

> A supplier emails that their bank details changed and the invoice is real. Here is how to verify the payee and prove approval before you pay.
>
> Source: https://rankshieldfinancial.com/resources/vendor-payment-fraud-bank-details-changed/ · RankShield Financial (verifiable pre-settlement payment security)

RankShield Network · Financial · Payment Fraud
# How to Stop Vendor Payment Fraud When a Supplier’s Bank Details Change

A supplier emails that their bank details changed and the invoice is real. Here is how the scam works, why the standard advice now fails on instant rails, and how to verify the payee and the approval before you pay.
   By  Jamie Kloncz  Founder, RankShield Financial    July 20, 2026 · 12 min read        Key takeaways
- Vendor payment fraud is a real, authorized payment to a fraudster who changed a supplier’s bank details, usually by email. The FBI recorded $3.046 billion in BEC losses across 24,768 complaints in 2025, with 86 percent moving by wire or ACH.
- It defeats bank fraud controls because the payment is authorized and looks normal. Nothing about it is anomalous to your bank at the moment it clears.
- The standard advice to call a known number still matters, but on instant rails the payment can be final before the call-back is finished. The Nacha fraud-monitoring rules that took effect in June 2026 now require every business that originates payments to screen for transactions initiated under false pretenses.
- Smaller businesses are more exposed per dollar, not less. The 2026 AFP survey found 74 percent of organizations were hit by business email compromise, and 48 percent of firms under $1 billion in revenue took a fraud loss.
- You cannot fully prevent a deceived approver from paying; the achievable goal is to verify the payee and the approval before settlement and to keep evidence of the decision, which is what RankShield Financial is built to do.

Vendor payment fraud is the scam where your business sends a real payment to a fraudster who changed a supplier’s banking details, usually by email. Nobody breaks into your bank. Someone spoofs or takes over a vendor’s inbox, sends a message that the account for an open invoice has changed, and your team updates the vendor record and pays the next run to the wrong account. It is a form of business email compromise, and the FBI’s Internet Crime Complaint Center reported $3.046 billion in reported BEC losses across 24,768 complaints in 2025, with 86 percent of the money moving by wire or ACH 1 . The payment itself is authorized and looks completely normal, which is why bank controls built to catch account takeover do not catch it. This guide explains how a banking-detail change becomes a theft, why the standard advice to call a known number now fails on instant rails, how to verify a change the way the FBI and Nacha recommend, and why the durable defense is verifying the payee and the approval before the payment settles rather than scoring it after. One honest note up front: no tool removes human judgment from the equation, because the deception targets the person who approves the payment. What verification does is make the unsafe step unskippable, hold a changed payee before release, and produce a record of exactly who approved what.

## What vendor payment fraud is, and how a bank-detail change becomes a theft

Vendor payment fraud, also called supplier impersonation or vendor email compromise, is a scam that gets your accounts payable team to send a legitimate payment to the wrong bank account. The attacker does not need your banking credentials. They need one thing: for your team to believe that a supplier you already pay has new banking details. They spoof or take over the vendor’s email, reference a real open invoice, and ask you to update the account before the next run. Your team updates the vendor master and pays. Two days later the real supplier asks where their money is.

The reason this works is that the payment is authorized and ordinary. Your bank sees the right originator, a known vendor record, and a plausible amount, so there is nothing to flag. The fraud does not live in the transaction data; it lives in the changed record and the email that justified it. That is the difference between account takeover, which throws off anomalies a fraud engine can catch, and this, which does not. Attackers often sit inside a compromised mailbox for weeks first, reading real invoice threads so the request lands at the right moment with the right details. By the time anyone doubts the email, the money has moved.

## Why the standard advice to call a known number now fails on instant rails

The advice to verify a banking-detail change by calling a number you already trust is correct, and it is still the single most effective manual control. The problem is timing. On instant payment rails the money can be gone before the call-back is finished, because settlement is final in seconds. The Clearing House’s RTP network set a single-day record of 2.27 million payments worth $8.62 billion on May 1, 2026 2 , and the Federal Reserve’s FedNow service now reaches over half of all U.S. checking and savings accounts 3 . Once a payment settles on those rails there is no clawback to wait for.

Regulation has moved to meet the risk. Nacha’s fraud-monitoring rules, whose second phase took effect in June 2026 for all remaining non-consumer originators 4 , require businesses to screen for payments initiated under false pretenses, which Nacha defines as inducing a payment by misrepresenting an identity, an authority to act, or the ownership of an account. That is a precise description of the vendor bank-change scam. The rule pulls the control earlier, toward the moment before release, because on these rails a check that arrives after settlement is a report, not a defense. A call-back that clears the payment an hour later cannot recall money that left in seconds.

## How to verify a banking-detail change the way the FBI and Nacha recommend

The controls that stop this fraud are well documented, and they share one principle: never let the email that requested the change be the thing that verifies it. The FBI and Nacha both point to out-of-band verification and dual control as the primary defenses. In practice, four steps close most of the gap, and each one removes a way the scam succeeds under pressure.

The reason these steps fail in real life is not that teams do not know them. It is that the manual version breaks under urgency and volume, which is exactly the condition the attacker engineers. At a small or mid-sized business the person updating the vendor record is often the same person who approves the payment, so separation of duties does not exist by default. The fix is to make the unsafe path impossible rather than discouraged: a banking-detail change that arrived by email does not clear on its own, and the payee has to match a record you verified through a channel the attacker does not control.

- Verify out of band. Confirm any banking-detail change using a phone number from your existing vendor file or the supplier’s official site, never a number or link in the request email.
- Separate the duties. The person who edits a vendor’s bank details must not be the person who approves the payment. Require a second, named approver on any change.
- Hold the first payment. Apply a short cooling-off period so the first payment to changed details is held for verification rather than released on the next run.
- Prove the approver. Keep a record that a specific, authorized person approved this specific payee and amount, so a change can be traced and defended later.

## Why recovery fails once the payment settles, and what the numbers say

Recovery is a backstop that works sometimes, and it is not a control you can plan around. When a fraud is reported quickly, the FBI’s Recovery Asset Team can try to freeze funds, but that path only covers victims who report in time and whose money is still inside the freeze window, a fraction of total losses. On instant and irreversible rails the practical window is measured in minutes, and fraudsters move the money onward through mule accounts immediately. Once value settles to an account the fraudster controls, there is usually nothing left to reverse.

The exposure is not limited to large enterprises. The 2026 AFP Payments Fraud and Control Survey found that 74 percent of organizations experienced business email compromise and 48 percent of firms under $1 billion in revenue took a fraud loss 5 . Smaller firms are more exposed per dollar because they rarely have a dedicated fraud or treasury team, their accounts payable process is manual, and one person can often originate a payment. The FBI’s guidance assumes someone has the time to call a verified number and get a second approval on every banking change. At an understaffed AP desk under a deadline, that is exactly the step that gets skipped.

## Verifying the payee and the approval before the money moves

The durable answer to vendor payment fraud is to verify the payment before it settles rather than to score it for risk after. That means checking the intent behind the payment, who is paying, who is being paid, how much, and why, against the vendor record you already trust, and requiring proof that a real, authorized person approved this specific payee and amount before release. A banking-detail change that arrived by email does not clear on its own, and a payee that does not match your verified record is held, not sent. This is the same out-of-band and dual-control logic the FBI recommends, made automatic and unskippable so it holds under the urgency the scam depends on.

This is where RankShield Financial fits. It sits in the authorization path as a verification and attestation layer, not a wallet or a processor, and it never takes custody of your funds; your existing rails and bank still move the money. It verifies the payee and proves an authorized approval [for the invoice and vendor fraud](https://rankshieldfinancial.com/invoice-fraud-prevention/) case before release, and it seals a signed, tamper-evident record of the decision. Unlike a private fraud score you have to trust, a verdict on the RankShield Network is independently verifiable, so an examiner, an insurer, or a partner can check it rather than take it on faith. That shared signal compounds as members join, rather than claiming a scale we have not yet reached. The signing is quantum-safe by construction, not quantum-proof, and the goal is honest: reduce exposure, hold the changed payee [before it settles](https://rankshieldfinancial.com/pre-settlement-payment-verification/), and produce evidence of exactly who approved what. If you run payments and want to verify the payee before the money moves, you can [request access](https://rankshieldfinancial.com/contact/).

## The one habit that closes the gap

If your business does one thing after reading this, make a banking-detail change a verified event rather than an email you action. Treat every request to change where a supplier gets paid as unverified until a named person confirms it through a channel the requester did not provide, and hold the first payment to new details until that happens. That single habit turns the scam’s favorite moment, an urgent change right before a payment run, from a fast win for the attacker into a step they cannot get past. The rails are only getting faster and more final, and the Nacha rules now expect this screening from every business that originates payments. Verifying the payee and the approval before release is no longer a nice-to-have; it is the control the moment requires.
       FAQ
## Frequently asked questions

Every question buyers ask before they trust a payment-security platform, answered directly.
           JAMIE KLONCZ · RANKSHIELD FINANCIAL           ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.
      REQUEST ACCESS →           References
- [FBI IC3, 2025 Internet Crime Report (BEC $3.046B, 86% wire/ACH)](https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf)
- [The Clearing House, RTP Network record $8.62B single day, May 1, 2026](https://www.theclearinghouse.org/payment-systems/Articles/2026/05/RTP-Network-Marks-May-Day-with-Record-Breaking-Volume-and-Value)
- [Federal Reserve, FedNow Service participants (reaches over half of U.S. accounts)](https://www.frbservices.org/financial-services/fednow/organizations)
- [Nacha, Risk Management Topics: Fraud Monitoring Phase 2 (false pretenses, effective June 2026)](https://www.nacha.org/rules/risk-management-topics-fraud-monitoring-phase-2)
- [AFP, 2026 Payments Fraud and Control Survey (74% BEC; 48% of sub-$1B firms took a loss)](https://www.financialprofessionals.org/training-resources/resources/survey-research-economic-data/details/payments-fraud)

         Verify, then settle
## See your payments verified before they settle.

RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.
  Request access  How it works

## Frequently asked questions

### Is a vendor email saying their bank account changed a scam?

It may be, and you should treat every such request as unverified until you confirm it. Vendor payment fraud works by getting your team to update a supplier’s banking details based on an email, then paying the next invoice to the fraudster’s account. The message often comes from the supplier’s real address, references a genuine open invoice, and creates urgency before a payment run. Do not reply to the email or call a number inside it. Verify the change using a phone number from your existing vendor file or the supplier’s official website, and require a second approver before the vendor record is changed.

### How do you verify a change to a vendor’s banking details?

Verify it out of band, meaning through a channel the requester did not provide. Call the supplier on a number you already have on file or from their official website, not a number or link in the change email, and confirm the new account with a named contact. Apply dual control so the person who edits the vendor’s bank details is not the person who approves the payment, and hold the first payment to changed details for a short cooling-off period. The FBI and Nacha both point to out-of-band verification and dual control as the primary defenses, because the email that requested the change can never be the thing that verifies it.

### Can we get the money back if we already paid a fake invoice?

Sometimes, but you should act immediately and not count on it. Contact your bank the moment you realize what happened and ask whether the payment can be recalled, and report it to the FBI’s IC3 so the Recovery Asset Team can try to freeze the funds. Recovery only works for victims who report in time and whose money is still inside the freeze window, which on instant rails can be minutes, because fraudsters move funds onward through other accounts quickly. Once a payment settles to the account the fraudster controls, there is usually nothing left to reverse, which is why verification before settlement matters more than recovery after it.

### Does Positive Pay stop vendor payment fraud?

No, not this kind. Positive Pay is a bank control that compares presented checks, and in its ACH form the accounts and amounts you authorize, against a file you provide, so it catches altered checks and unknown debits. Vendor payment fraud is different: the payment is one you authorized, to a payee that looks legitimate because you were tricked into updating the record. Positive Pay confirms the payment matches what you told the bank to expect; it cannot tell you that what you told the bank to expect is itself the result of a scam. Stopping vendor impersonation requires verifying the payee and the approval before the payment is released.
